Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About Anurag_Ntt
Anurag_Ntt
Explorer
Member since:
06-25-2024
08-28-2024
Community Statistics
| Posts | 4 |
| Solutions | 1 |
| Karma Given | 2 |
| Karma Received | 0 |
| Member Since | 06-25-2024 |
Activity Feed
- Posted Re: Need to calculate difference between two epoch timestamps from different searches on Splunk Search. 07-31-2024 11:36 AM
- Posted Need to calculate difference between two epoch timestamps from different searches on Splunk Search. 07-31-2024 10:54 AM
- Karma Re: Need to calculate difference between two epoch timestamps from two different searches where the correlation-ids are for ITWhisperer. 07-25-2024 06:51 AM
- Posted Re: Need to calculate difference between two epoch timestamps from two different searches where the correlation-ids are on Splunk Search. 07-19-2024 03:21 AM
- Posted Need to calculate difference between two epoch timestamps from two different searches where the correlation-ids are same on Splunk Search. 07-19-2024 02:11 AM
Topics I've Started
07-31-2024
11:36 AM
1- Point taken, was not a demand but a request not sure how could have I framed it to look like a request 🙂 will avoid tagging people 2-Did that thanks for the feedback 3/4/5- Data is getting extracted properly but for the systime_mcd which is null for all the correlation-ids.
... View more
07-31-2024
10:54 AM
Hi Community, I need to calculate the difference between two timestamps printed in log4j logs of java application from 3 different searches, the timestamp is printed in the log after system time keyword in the logs. Logs for search -1 2024-07-18 06:11:23.438 INFO [ traceid=8d8f1bad8549e6ac6d1c864cbcb1f706 spanid=cdb1bb734ab9eedc ] com.filler.filler.filler.MessageLoggerVisitor [TLOG4-Thread-1-7] Jul 18,2024 06:11:23 GMT|91032|PRD|SYSTEM|test-01.Autodeploy-profiles-msgdeliver|10.12.163.65|-|-|-|-|com.filler.filler.filler.message.visitor.MessageLoggerVisitor|-|PRD01032 - Processor (Ingress Processor tlog-node4) processed message with system time 1721283083437 batch id d6e50727-ffe7-4db3-83a9-351e59148be2-23-0001 correlation-id (f00d9f9e-7534-4190-99ad-ffeea14859e5-23-0001) and body ( Logs for search -2 DFM01081 - Batch having id d6e50727-ffe7-4db3-83a9-351e59148be2-23-0001 on processor-name Egress Processor, transaction status commited by consumer Logs for search-3 2024-07-18 06:11:23.487 INFO [ traceid= spanid= ] com.filler.filler.filler.message.processor.RestPublisherProcessor [PRD-1] Jul 18,2024 06:11:23 GMT|91051|PRD|SYSTEM|test-01.Autodeploy-profiles-msgdeliver|10.12.163.65|-|-|-|-|com.filler.filler.filler.message.processor.RestPublisherProcessor|-|PRD01051 - Message with correlation-id f00d9f9e-7534-4190-99ad-ffeea14859e5-23-0001 successfully published at system time 1721283083487 to MCD I am using below query to calculate the time difference. I need to filter out the correlation ids in search 1not matching the batch ids from search 2 and calculate the systime difference from the matching correlation ids b/w search-1 and search-2 which also match with search-3. The below query gives empty systime_mcd need help in getting this through sourcetype=log4j | rex "91032\|PRD\|SYSTEM\|test\-01\.Autodeploy\-profiles\-msgdeliver\|10\.12\.163\.65\|\-\|\-\|\-\|\-\|com\.filler\.filler\.filler\.message\.visitor\.MessageLoggerVisitor\|\-\|PRD01032 \- Processor (.*?) processed message with system time (?.+) batch id (?.+) correlation-id \((?.+)\) and body" |rex "DFM01081 \- Batch having id (?.+) on processor-name Egress Processor\, transaction status commited by consumer | rex "com\.filler\.filler.filler\.message\.processor\.RestPublisherProcessor\|\-\|PRD01051 \- Message with correlation\-id \((?.+)\) successfully published at system time (?.+) to MCD" | stats first(systime_batch) as systime_batch values(systime_mcd) as systime_mcd values(corrid) as corrid by batch_id_passed | mvexpand corrid | eval diff = (systime_mcd-systime_batch) @ITWhisperer can you please look into this as well, this is an extension of what you already helped with. Thanks in advance
... View more
07-19-2024
03:21 AM
Awesome.. Thanks @ITWhisperer worked like a charm 🙂
... View more
07-19-2024
02:11 AM
Hi Community, I need to calculate the difference between two timestamps printed in log4j logs of java application from two different searches, the timestamp is printed in the log after system time keyword in the logs. log for search -1 2024-07-18 06:11:23.438 INFO [ traceid=8d8f1bad8549e6ac6d1c864cbcb1f706 spanid=cdb1bb734ab9eedc ] com.filler.filler.filler.MessageLoggerVisitor [TLOG4-Thread-1-7] Jul 18,2024 06:11:23 GMT|91032|PRD|SYSTEM|test-01.Autodeploy-profiles-msgdeliver|10.12.163.65|-|-|-|-|com.filler.filler.filler.message.visitor.MessageLoggerVisitor|-|PRD01032 - Processor (Ingress Processor tlog-node4) processed message with system time 1721283083437 batch id d6e50727-ffe7-4db3-83a9-351e59148be2-23-0001 correlation-id (f00d9f9e-7534-4190-99ad-ffeea14859e5-23-0001) and body ( log for search-2 2024-07-18 06:11:23.487 INFO [ traceid= spanid= ] com.filler.filler.filler.message.processor.RestPublisherProcessor [PRD-1] Jul 18,2024 06:11:23 GMT|91051|PRD|SYSTEM|test-01.Autodeploy-profiles-msgdeliver|10.12.163.65|-|-|-|-|com.filler.filler.filler.message.processor.RestPublisherProcessor|-|PRD01051 - Message with correlation-id f00d9f9e-7534-4190-99ad-ffeea14859e5-23-0001 successfully published at system time 1721283083487 to MCD I am using below query to calculate the time difference but end up in duplicates and lot of null values, these null values are coming only when i do the calculations for individual searches null values don't pop up. "sourcetype=log4j | rex "91032\|PRD\|SYSTEM\|test\-01\.Autodeploy\-profiles\-msgdeliver\|10\.12\.163\.65\|\-\|\-\|\-\|\-\|com\.filler\.filler\.filler\.message\.visitor\.MessageLoggerVisitor\|\-\|PRD01032 \- Processor (.*?) processed message with system time (?<systime_batch>.+) batch id (.*?) correlation-id \((?<corrid_batch>.+)\) and body" | rex "com\.filler\.filler.filler\.message\.processor\.RestPublisherProcessor\|\-\|PRD01051 \- Message with correlation\-id \((?<corrid_mcd>.+)\) successfully published at system time (?<systime_mcd>.+) to MCD" | dedup corrid_batch | eval diff = (systime_mcd-systime_batch) | where corrid_mcd=corrid_batch | table diff" Kindly help in a
... View more
Labels
- Labels:
-
eval
-
field extraction
-
fields
-
join
-
rex
-
stats
-
subsearch
-
transaction
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-28-2024
06:37 PM
|
